In the systemd-nspawn case, while we need to be root to call the build, we still need to chown the output files.
This regressed rpmdistro-gitoverlay which was expecting to be able to `link()` the SRPMs, and it couldn't because they were root owned.
---
py/mockbuild/backend.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/py/mockbuild/backend.py b/py/mockbuild/backend.py
index c342573..414475c 100644
--- a/py/mockbuild/backend.py
+++ b/py/mockbuild/backend.py
@@ -193,14 +193,14 @@ class Commands(object):
buildstate = "build phase for %s" % baserpm self.state.start(buildstate) + # remove rpm db files to prevent version mismatch problems + # note: moved to do this before the user change below! + self.buildroot._nuke_rpm_db() + dropped_privs = False try: - # remove rpm db files to prevent version mismatch problems - # note: moved to do this before the user change below! - self.buildroot._nuke_rpm_db() - if not util.USE_NSPAWN: - # drop privs and become mock user self.uid_manager.becomeUser(self.buildroot.chrootuid, self.buildroot.chrootgid) + dropped_privs = True buildsetup = "build setup for %s" % baserpm self.state.start(buildsetup)
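Review bot: Moving `self.buildroot._nuke_rpm_db()` above `try:` takes it out of reach of the `finally:` shown in the last hunk, so an exception raised by it would skip the `self.state.result = 'fail'` bookkeeping and any other cleanup that block performs. The new `dropped_privs` flag already lets the `finally` run safely before any uid switch has happened, so the call can stay as the first statement inside `try:`, with only `dropped_privs = False` placed before it. The enclosing method starts and ends outside this hunk, so the rest of the `finally` body is not visible here.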
@@ -222,6 +222,12 @@ class Commands(object): self.plugins.call_hooks('prebuild')
results = self.rebuild_package(spec_path, timeout, check) + # In the nspawn case, we retained root until here, but we + # need to ensure our output files are owned by the caller's uid. + # So drop them now. + if not dropped_privs: + self.uid_manager.becomeUser(self.buildroot.chrootuid, self.buildroot.chrootgid) + dropped_privs = True if results: self.build_results.extend(self.copy_build_results(results)) elif self.config.get('short_circuit'): @@ -233,7 +239,7 @@ class Commands(object): self.state.finish(rpmbuildstate)
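Review bot: The added comment says the files must be owned by the "caller's uid", but the call passes `self.buildroot.chrootuid` and `self.buildroot.chrootgid`, and "So drop them now" reads as if it refers to the output files rather than to privileges. A wording that matches the code would be `# nspawn: the build above ran as root; switch to the chroot uid/gid before copying results`. The switch happens only after `rebuild_package()` has returned, so it affects ownership of what is created from here on (presumably by `copy_build_results()`). Anything the build itself wrote as root stays root-owned unless that copy re-creates it, which the comment should also state.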
finally: - if not util.USE_NSPAWN: + if dropped_privs: self.uid_manager.restorePrivs() if self.state.result != 'success': self.state.result = 'fail'
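Review bot: `restorePrivs()` now runs only when `dropped_privs` is set, and both call sites (first and second hunk) set the flag on the line after `becomeUser(...)`, so a `becomeUser` that raises part-way leaves the flag False. If that method can fail after it has already changed some of the process ids (its body is not visible here), the `finally` would leave the process in that partially switched state for whatever runs next. It is worth confirming how `uid_manager` behaves on failure and recording the assumption next to the flag, for example `# becomeUser is assumed to leave the process ids unchanged if it raises`. The `finally` block continues outside this hunk.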
Dne 28.7.2015 v 18:57 Colin Walters napsal(a):
In the systemd-nspawn case, while we need to be root to call the build, we still need to chown the output files.
This regressed rpmdistro-gitoverlay which was expecting to be able to `link()` the SRPMs, and it couldn't because they were root owned.
Committed as 55bd875. Thank you.
buildsys@lists.fedoraproject.org